IETF Logo Mail Archive

Re: [tcpinc] Quick review of draft-rescorla-tcpinc-tls-option-04

Eric Rescorla <ekr@rtfm.com> Wed, 21 October 2015 16:19 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB00D1B2A19 for <tcpinc@ietfa.amsl.com>; Wed, 21 Oct 2015 09:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.677
X-Spam-Level:
X-Spam-Status: No, score=-1.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j2Hre7bXM9ae for <tcpinc@ietfa.amsl.com>; Wed, 21 Oct 2015 09:19:52 -0700 (PDT)
Received: from mail-yk0-f173.google.com (mail-yk0-f173.google.com [209.85.160.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE70B1A9128 for <tcpinc@ietf.org>; Wed, 21 Oct 2015 09:19:51 -0700 (PDT)
Received: by ykaz22 with SMTP id z22so54760830yka.2 for <tcpinc@ietf.org>; Wed, 21 Oct 2015 09:19:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=uQOxkC7FjL8e0pEAfE0V1ucD92T6xVX2t7LM8VMcoVA=; b=TxrqLcKaSmcu3+8xiIY33/iXWUzA4HzujsP53QWUp0wDWkOyYexb+C/pwpH7qvcfRb 3ZoyVLjH2eKyE1+8IdeRjaiNE5vu3gle0Ow5CHKqIPYM0le5ikR5T0AJi/ffOaCBePJ8 ZZ/1U3KT9wIYjguUHXcSbXh0NXWrAwHo3Nfr0A0uQVQti8UeU7wkXRUGlWlglKsxbIox TEb/YVlvmFNpypuqWzuBZ+jK2Ziyr0nYgErq78nUNd4yDo/I1viIlUR2YsD7OZbpDQ63 ayiqXN7S19SRCKGrtqgvAMli8PlV3DU7TWH65cNmSuviNCbX2EtAWk9MVYhgeaEthP1P U1cQ==
X-Gm-Message-State: ALoCoQk3/Syqsueixk6tPoxVakyckeTTqWvSqiPCrTCJRSKjjAgMl2rCggqbwQ2WUsaPj8ZW5N5U
X-Received: by 10.13.216.141 with SMTP id a135mr7299777ywe.12.1445444391139; Wed, 21 Oct 2015 09:19:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.221.85 with HTTP; Wed, 21 Oct 2015 09:19:11 -0700 (PDT)
In-Reply-To: <5627B7CF.6080505@tik.ee.ethz.ch>
References: <07616023-76C2-4418-BCCC-47B40391DC5D@tik.ee.ethz.ch> <CABcZeBOT0k0eAQ--+=BG9dEg-irwaQiP+d8JiaAPwmK6Mogt7w@mail.gmail.com> <5627B7CF.6080505@tik.ee.ethz.ch>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 21 Oct 2015 09:19:11 -0700
Message-ID: <CABcZeBPMRN4BA46dGQMyNcdZbMhQ7OoughcoT7zMDac79KdfDw@mail.gmail.com>
To: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
Content-Type: multipart/alternative; boundary="001a114e488a7a2dad05229fbfad"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/_FQWPnvWDpYW0A4OvfXhDMcPyYc>
Cc: tcpinc <tcpinc@ietf.org>
Subject: Re: [tcpinc] Quick review of draft-rescorla-tcpinc-tls-option-04
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2015 16:19:54 -0000

On Wed, Oct 21, 2015 at 9:05 AM, Mirja Kühlewind <
mirja.kuehlewind@tik.ee.ethz.ch> wrote:

> Hi Ekr,
>
> see inline.
>
> On 18.10.2015 16:23, Eric Rescorla wrote:
>
>>  > Hi Ekr,
>>  >
>>  > I did a quick review of draft-rescorla-tcpinc-tls-option-04, as an
>> individual (not as chair).
>>  >
>>  > Thanks for putting all the explanational text in there; at least for me
>> that was very helpful. I have a few comments and (potentially stupid)
>> questions:
>>  >
>>  > 1) Section 2 say that if there is a decryption failure/finished
>>  > failure, endpoint SHOULD signal a connection failure. Does it mean
>>  > that endpoint SHOULD/MUST also send a TCP RST? And do we really,
>>  > really need to close the connection here, or is there maybe a way to
>>  > think about falling back to TCP only…?
>>
>> I don't know if we *really* need to, but my reasoning here is that
>> we now know that the middlebox messed with the data and so failing
>> the connection is safer.
>>
>
> Not sure what safer in this sense actually means, but the point I was
> trying to make is, that this might be a case, where a connection might fail
> when trying to use tcpinc while a regular tcp connection might succeed. An
> application that does not even know that it is using tcpinc, thus might not
> be able to connect.


Well, as David points out, ENO specifically prohibits this. And I've
modified the
draft to say that.



>  > 2) The current proposal has the possibility that both endpoints
>>  > might not support the same chipper suite and therefore tcpinc will
>>  > not be used. Should we maybe think about picking a default one (or
>>  > set of default ones that can be ordered by preference) that must be
>>  > supported. I know that's hard, but for tcpinc, as the intention is
>>  > anyway ‚just‘ opportunistic encryption, that might make more
>>  > sense. Maybe we can specify something while at the same time saying
>>  > that the server should not expect that a specific chiper suite will
>>  > be available such that we still have a change to deprecate this
>>  > specification later…
>>
>> Well, there already is an MTI cipher suite (see: S. 3.5), but
>> someone could always be noncompliant, right?
>>
>
> Actually I overlooked this. However, to be correct you probably have to
> say that one should not only implement those but also offer at least one of
> them with the ClientHello.


 I could live with that.


 > 5) Section 3.2. says „… MUST respond to renegotiation with fatal
>>  > „no_renegotiation“ alert“. What does this mean for the TCP
>>  > connection?
>>
>> You should fail the connection. Any failure post-handshake should
>> lead to the same result.
>>
>
> My point is that 'fail the connection' does not mean anything for someone
> who want to implement this in TCP. I guess you mean send a TCP RST and
> close the socket connection...?


Yes. Once you adopt the position in ENO that you can only send ciphertext
then this naturally follows:

   Conversely, if a host receives an ACK segment containing an ENO
   option, then encryption MUST be enabled.  From this point the host
   MUST follow the encryption protocol of the negotiated spec and MUST
   NOT present raw TCP payload data to the application.  In particular,
   data segments MUST contain ciphertext or key agreement messages as
   determined by the negotiated spec, and MUST NOT contain plaintext
   application data.


 > 8) Further the draft says in section 6, that there are two options
>>  > for implementation. And I disagree there. tcpinc should always be
>>  > implemented in the kernel and only if there is potentially an app
>>  > that also implements TLS there might be a config option to allow the
>>  > app to do the TLS handling if successfully negotiated in TCP. It is
>>  > not an option to have a tcpinc implementation that relies on the
>>  > possibility that the app might have TLS implemented because then we
>>  > are end up at a the state where we already are.
>>
>> We're defining a wire protocol here, so specifying particular
>> implementation tactics seems out of scope. With that said, I
>> don't think your assessment that we're back at the same state
>> we always were. As I think I pointed out when I first introduced
>> this draft, it addresses two problems with the same wire protocol:
>>
>> 1. The basic TCPINC use case.
>> 2. Out-of-band negotiation of application-level TLS.
>>
>> An application-level implementation is totally consistent with #2.
>>
>
> First of all, you have a section on implementation in the draft, I'm just
> commenting on what's written there.
>
> I think David, made this point as well: tcpinc is charter for case 1, that
> means there MUST be a kernel implementation.


I don't think this follows at all. The charter doesn't say anything about
kernel
implementations. It says "The protocol must be usable by unmodified
applications" and
"The protocol must not require any authentication or configuration", but
neither
of these require a *kernel* implementation. For example, one might implement
things with a divert socket (as the tcpcrypt implementation at
https://github.com/scslab/tcpcrypt does, though I know they have a kernel
implementation.). So this means you need a whole-system implementation
but doesn't mean you need a kernel one.

Another concrete scenario (which is attractive for a TLS implementation) is
to
use a minimal kernel component (or a divert socket) to do the ENO options
with a modified libc to actually do the TLS negotiation and data handling.
This would also provide system-wide support but would not be in the kernel.
I don't see anything in the charter which prohibits this.



> Case 2 might be supported but doesn't have to to fulfill our charter. Of
> course I agree that case 2 makes a lot of sense if we use tls.
>
> However, the point is, as long as the doc says that you can fulfill the
> specification of tcpinc even though you have an implementation that only
> uses tcpinc if TLS is supported by the app, this doc is not a tcpinc doc
> because it does not address our charter.


I think this is kind of a semantic distinction, but would you consider it
satisfactory
if this were rewritten to indicate that it is possible to build an
implementation which will
interoperate with a system-wide implementation (scenario 1) using solely an
application-level
technique?

-Ekr

v2.23.0 | Report a Bug | By Email